refactor: store claims value parsed in non-JAR PAR

panva · Feb 1, 2024 · 9cd865b · 9cd865b
1 parent b7d3322
commit 9cd865b
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/lib/actions/authorization/pushed_authorization_request_response.js b/lib/actions/authorization/pushed_authorization_request_response.js
@@ -22,7 +22,13 @@ export default async function pushedAuthorizationRequestResponse(ctx, next) {
     dpopJkt = thumbprint || ctx.oidc.params.dpop_jkt;
   } else {
     ttl = MAX_TTL;
-    request = new UnsecuredJWT({ ...ctx.oidc.params })
+    const payload = { ...ctx.oidc.params };
+
+    if (payload.claims) {
+      payload.claims = JSON.parse(payload.claims);
+    }
+
+    request = new UnsecuredJWT(payload)
       .setIssuedAt(now)
       .setIssuer(ctx.oidc.client.clientId)
       .setAudience(ctx.oidc.issuer)

diff --git a/test/pushed_authorization_requests/pushed_authorization_requests.config.js b/test/pushed_authorization_requests/pushed_authorization_requests.config.js
@@ -16,6 +16,9 @@ merge(config.features, {
     requirePushedAuthorizationRequests: false,
     enabled: true,
   },
+  claimsParameter: {
+    enabled: true,
+  },
   requestObjects: {
     request: false,
     requestUri: false,

diff --git a/test/pushed_authorization_requests/pushed_authorization_requests.test.js b/test/pushed_authorization_requests/pushed_authorization_requests.test.js
@@ -90,11 +90,17 @@ describe('Pushed Request Object', () => {
                 .auth(clientId, 'secret')
                 .type('form')
                 .send({
+                  scope: 'openid',
                   response_type: 'code',
                   client_id: clientId,
                   iss: clientId,
                   extra: 'provided',
                   aud: this.provider.issuer,
+                  claims: JSON.stringify({
+                    id_token: {
+                      auth_time: { essential: true },
+                    },
+                  }),
                 })
                 .expect(201)
                 .expect(({ body }) => {
@@ -114,7 +120,11 @@ describe('Pushed Request Object', () => {
               const header = decodeProtectedHeader(stored.request);
               expect(header).to.deep.eql({ alg: 'none' });
               const payload = decodeJwt(stored.request);
-              expect(payload).to.contain.keys(['aud', 'exp', 'iat', 'nbf', 'iss']);
+              expect(payload).to.contain.keys(['aud', 'exp', 'iat', 'nbf', 'iss']).to.have.deep.property('claims', {
+                id_token: {
+                  auth_time: { essential: true },
+                },
+              });
             });
 
             it('forbids request_uri to be used', async function () {